Security Audit: glmv-grounding (skills/zai-org/glm-v/glmv-grounding)

Result: Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE (findings tagged COMMAND_EXECUTION and EXTERNAL_DOWNLOADS; both assessed as handled)
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses subprocess.run in scripts/utils_video.py to invoke ffmpeg for frame extraction and video reassembly. The calls pass ffmpeg its arguments as a list rather than as a shell string, so user-controlled values such as file paths are never interpreted by a shell; this removes the command injection risk that string-built commands carry. (An argument list does not by itself stop a value beginning with "-" from being read by ffmpeg as an option rather than a file name, so paths should still be normalized before use.)
  • [EXTERNAL_DOWNLOADS]: scripts/glm_grounding_cli.py downloads images and videos from user-supplied URLs. Before fetching, it validates the target with _is_public_url, which rejects localhost, private network ranges and reserved IP addresses; this closes the Server-Side Request Forgery (SSRF) path by which a URL argument could otherwise be used to reach internal services. Such a check is only as strong as what it is applied to: it has to see the address the host name actually resolves to, and it has to be repeated for every redirect target.
  • [SAFE]: Secrets are handled through scripts/config_setup.py, which directs users to store the ZHIPU_API_KEY in a local .env file and warns them to keep that file out of version control, so the key is neither hard-coded in the scripts nor committed alongside them.
  • [SAFE]: scripts/utils_boxes.py and the other utility scripts parse model output with ast.literal_eval rather than eval(). literal_eval only builds Python literals (numbers, strings, lists, tuples, dicts and similar) and raises on anything else, so a model response containing expressions or calls cannot execute code in the process; the parsed value still needs to be type- and shape-checked before use, since a literal can be of the wrong type.
  • [SAFE]: Apart from the user-supplied download URLs covered above, all network traffic goes to the official Zhipu AI endpoint (open.bigmodel.cn), and the dependencies are standard, well-known libraries.
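The COMMAND_EXECUTION finding above hinges on how the ffmpeg command is assembled. The following is an added example, not the skill's own code from scripts/utils_video.py: it builds a frame-extraction command as an argv list, places the string-interpolated form beside it for contrast, and normalizes paths so that a value starting with "-" cannot be misread as an ffmpeg option. Function names, ffmpeg options and the hostile file name are illustrative assumptions.

```python
"""Added example (not the skill's own code): invoking ffmpeg through an
argument list, the pattern the audit credits scripts/utils_video.py with.
Function names, ffmpeg options and sample inputs are illustrative assumptions."""
import os
import shlex
import subprocess
from pathlib import Path


def build_extract_cmd(video_path: str, out_dir: str, fps: float = 1.0) -> list[str]:
    """Return the ffmpeg frame-extraction command as an argv list.

    Every element reaches ffmpeg verbatim; no shell ever sees it, so
    metacharacters in a user-supplied path (';', '|', '$(...)') stay literal.
    Paths are made absolute so that a value beginning with '-' cannot be
    read by ffmpeg as an option instead of a file name.
    """
    video = str(Path(video_path).resolve())
    frames = Path(out_dir).resolve() / "frame_%05d.jpg"
    return [
        "ffmpeg", "-hide_banner", "-loglevel", "error",
        "-i", video,
        "-vf", f"fps={fps}",
        str(frames),
    ]


def vulnerable_shell_cmd(video_path: str, out_dir: str) -> str:
    """The pattern the audit says the skill avoids: interpolating untrusted
    values into one string that would be handed to `sh -c` (shell=True)."""
    return f"ffmpeg -i {video_path} -vf fps=1 {out_dir}/frame_%05d.jpg"


def as_shell_line(cmd: list[str]) -> str:
    """Quote the argv list the way a shell would need it (for logging only)."""
    return shlex.join(cmd)


def run_extract(video_path: str, out_dir: str) -> subprocess.CompletedProcess:
    """Run extraction without shell=True; raises CalledProcessError on failure."""
    os.makedirs(out_dir, exist_ok=True)
    return subprocess.run(build_extract_cmd(video_path, out_dir),
                          check=True, capture_output=True, text=True)


if __name__ == "__main__":
    hostile = "clip.mp4; rm -rf ~"                          # constructed hostile file name
    print(vulnerable_shell_cmd(hostile, "out"))            # a shell would run `rm -rf ~`
    print(as_shell_line(build_extract_cmd(hostile, "out")))  # stays one quoted argument
```

run_extract is the only function that actually starts ffmpeg; the rest can be exercised without it installed. The shlex.join output is shown purely to make the difference visible in a log line; the list itself is what subprocess.run receives.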
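The EXTERNAL_DOWNLOADS finding describes _is_public_url as blocking localhost, private ranges and reserved addresses. The following is an added example, not the skill's own _is_public_url from scripts/glm_grounding_cli.py; it goes beyond the description by resolving host names and requiring every returned address to be public, and by re-validating redirect targets. The function names, the injectable resolver and the lookup table standing in for DNS are constructed so the example runs offline.

```python
"""Added example (not the skill's own code): a public-URL check of the kind the
audit describes for _is_public_url. Names and the fake DNS table are assumptions."""
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit


def _is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    addr = ipaddress.ip_address(ip_text.split("%")[0])   # drop an IPv6 zone id
    return (addr.is_global                 # rejects RFC1918, loopback, CGNAT, ::1, fc00::/7, ...
            and not addr.is_multicast
            and not addr.is_reserved
            and not addr.is_link_local)    # 169.254.0.0/16 and fe80::/10


def is_public_url(url: str, resolver=socket.getaddrinfo) -> bool:
    """Accept only http(s) URLs whose host is, or resolves only to, public addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname                  # brackets already stripped for IPv6 literals
    try:
        return _is_public_ip(host)         # literal address: decide directly
    except ValueError:
        pass                               # not a literal, treat as a host name
    try:
        infos = resolver(host, None)
    except (socket.gaierror, OSError):
        return False
    addrs = {info[4][0] for info in infos}
    # Every answer must be public: a split answer (one public, one internal)
    # is treated as hostile rather than letting the client pick.
    return bool(addrs) and all(_is_public_ip(a) for a in addrs)


def redirect_allowed(current_url: str, location: str, resolver=socket.getaddrinfo) -> bool:
    """Re-validate a Location header before following it: a public host may
    redirect to an internal one, which the first check never saw."""
    return is_public_url(urljoin(current_url, location), resolver)


# Constructed lookup table standing in for DNS so the example runs offline.
_FAKE_DNS = {
    "localhost": ["127.0.0.1", "::1"],
    "example.com": ["93.184.216.34"],
    "rebinder.example": ["93.184.216.34", "10.0.0.8"],   # split answer, one internal
}


def fake_resolver(host, port=None):
    """getaddrinfo-shaped stand-in: list of (family, type, proto, canon, sockaddr)."""
    if host not in _FAKE_DNS:
        raise socket.gaierror(f"constructed: no such host {host}")
    return [(None, None, None, "", (a, 0)) for a in _FAKE_DNS[host]]


if __name__ == "__main__":
    for u in ("http://example.com/a.png", "http://localhost/x",
              "http://169.254.169.254/latest/meta-data/", "http://rebinder.example/"):
        print(u, is_public_url(u, resolver=fake_resolver))
```

In production the default resolver is socket.getaddrinfo; the constructed one is only there so the behaviour is testable without network. Note that the check decides on the resolved addresses, so a decimal or hex spelling of 127.0.0.1 that the OS resolver accepts is caught at the same place as a plain host name.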
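The ast.literal_eval finding is about what happens to text the model returns. The following is an added example, not the skill's own code from scripts/utils_boxes.py: it extracts a nested list literal from a reply, parses it with literal_eval, and then shape-checks the result, with the eval-based variant the audit says the skill avoids shown beside it. The assumed reply format ([[x1, y1, x2, y2], ...] somewhere in the text) and the function names are illustrative assumptions.

```python
"""Added example (not the skill's own code): parsing bounding boxes out of model
text with ast.literal_eval, the approach the audit credits to scripts/utils_boxes.py.
The reply format and function names are assumptions."""
import ast
import re

# Assumed format: a list of 4-number lists somewhere in the model's reply text.
_BOX_LIST = re.compile(r"\[\s*\[.*?\]\s*\]", re.S)

_Number = (int, float)


def parse_boxes(text: str) -> list[list[float]]:
    """Return validated [x1, y1, x2, y2] boxes found in `text`, or [] if none.

    ast.literal_eval only builds Python literals; any call, attribute access
    or name (for example __import__) makes it raise, so code in the model
    reply never executes. The value is then shape-checked, because a literal
    can still be of the wrong type or arity.
    """
    match = _BOX_LIST.search(text)
    if not match:
        return []
    try:
        value = ast.literal_eval(match.group(0))
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return []                          # not a pure literal, or pathologically nested
    if not isinstance(value, list):
        return []
    boxes = []
    for item in value:
        if (isinstance(item, (list, tuple)) and len(item) == 4
                and all(isinstance(c, _Number) and not isinstance(c, bool) for c in item)):
            x1, y1, x2, y2 = item
            if x1 <= x2 and y1 <= y2 and min(item) >= 0:
                boxes.append([float(c) for c in item])
    return boxes


def parse_boxes_unsafe(text: str):
    """The pattern the audit says the skill avoids. Never use on model output:
    eval executes whatever expression the text contains."""
    match = _BOX_LIST.search(text)
    return eval(match.group(0)) if match else []   # deliberately unsafe, for contrast


if __name__ == "__main__":
    reply = "Found: [[10, 20, 300, 400], [5, 5, 50, 60]]"          # constructed reply
    hostile = "[[__import__('os').system('echo pwned')]]"          # constructed hostile reply
    print(parse_boxes(reply))
    print(parse_boxes(hostile))   # [] : literal_eval refuses the call expression
```

The try/except around literal_eval matters as much as the choice of function: a reply that is almost a literal raises ValueError or SyntaxError, and a deeply nested one can exhaust the parser's recursion limit, so both are turned into "no boxes" rather than a crash of the CLI.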
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 04:13 AM